The TransferOutAndCallV5 event is not caught by smartcontract_log_parser.go #121
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
🤖_19_group: AI based duplicate group recommendation
sufficient quality report: This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-06-thorchain/blob/main/bifrost/pkg/chainclients/shared/evm/smartcontract_log_parser.go#L22-L26
https://github.com/code-423n4/2024-06-thorchain/blob/main/bifrost/pkg/chainclients/shared/evm/smartcontract_log_parser.go#L295-L337
Vulnerability details
Impact
The version 5 contract, and more precisely its events, is not integrated as expected.
Actions that Bifrost should undertake are ignored, leading to inconsistencies across the entire protocol such as accounting errors and potential loss of funds.
Proof of concept
In the previous version of the protocol, smartcontract_log_parser.go was responsible for listening to multiple events emitted by THORChain_Router.sol: https://github.com/code-423n4/2024-06-thorchain/blob/main/bifrost/pkg/chainclients/shared/evm/smartcontract_log_parser.go#L22-L26
Once one of these events has been intercepted, it is parsed and Bifrost undertakes actions depending on the nature of the emission.
One of these actions is transferOutAndCallEvent, described here, which is triggered in the transferOutAndCall() function of the smart contract.
Version 5 of the protocol introduced a similar event in a new function of the smart contract called _transferOutAndCallV5(), which emits TransferOutAndCallV5.
As you can see, this particular event does not appear in the list of events in smartcontract_log_parser.go and is thus never intercepted or processed, although it should be.
Tools used
Manual review
Recommended mitigation steps
Define the corresponding event in smartcontract_log_parser.go and implement the actions to undertake when it is intercepted.
Assessed type
Context
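A coverage check in the spirit of the recommended mitigation, as an added example (not code from this report or from the THORChain repository): it lists every event a router ABI declares for which the parser has no handler. The ABI fragment, the handled map and UnhandledEvents are constructed for illustration; the real parser matches on event topic hashes rather than names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed ABI fragment (inputs omitted); not the real THORChain_Router ABI.
const routerABI = `[
 {"type":"event","name":"Deposit"},
 {"type":"event","name":"TransferOut"},
 {"type":"event","name":"TransferOutAndCall"},
 {"type":"event","name":"TransferOutAndCallV5"},
 {"type":"function","name":"transferOutAndCall"}
]`

// handled stands in for the parser's event list (hypothetical). The real parser
// keys on the keccak-256 topic hash of each event signature, not on its name.
var handled = map[string]bool{
	"Deposit":            true,
	"TransferOut":        true,
	"TransferOutAndCall": true,
}

type abiEntry struct {
	Type string `json:"type"`
	Name string `json:"name"`
}

// UnhandledEvents returns, sorted, every event declared in abiJSON that has no handler.
func UnhandledEvents(abiJSON string, handlers map[string]bool) ([]string, error) {
	var entries []abiEntry
	if err := json.Unmarshal([]byte(abiJSON), &entries); err != nil {
		return nil, fmt.Errorf("parse abi: %w", err)
	}
	var missing []string
	for _, e := range entries {
		// Functions and other ABI entries are skipped; only events reach the log parser.
		if e.Type == "event" && !handlers[e.Name] {
			missing = append(missing, e.Name)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

func main() {
	missing, err := UnhandledEvents(routerABI, handled)
	if err != nil {
		panic(err)
	}
	fmt.Println("events emitted by the router but not parsed:", missing)
}
```

Run as a unit test against the deployed router's ABI, a non-empty result fails the build whenever a contract upgrade adds an event the parser does not know about.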